On Wednesday 12 June 2013, William A. Rowe Jr. wrote:
> In fact, the patch's docs text is wrong on the face of it;
>
> "Enabling compression causes security issues in most setups (the
> so called +CRIME attack)"
>
> This is true of specific setups where the user agent simultaneously
> shares a compression dictionary between different client
> applications where one may be nefarious. The vulnerability is to
> permit an untrusted agent (script) to share a single SSL and zlib
> session with a trusted/secured agent. This is a flaw on multiple
> levels, not just limited to zlib compression packet sizes.

That's the browsers' broken "security model". I completely agree that
this is a flaw on multiple levels, but browser vendors won't change it.
They simply disabled compression to fix the CRIME issue.

> I'd like an accurate svn commit message? Is that a bit much to
> ask? Or are we expected to troll through archives on every simple
> inquiry?

Noting the reviewers of a backport in the commit message is entirely
optional, IMHO. If it isn't, it should be documented somewhere.
